Class RestrictedTrustManager

java.lang.Object
javax.net.ssl.X509ExtendedTrustManager
org.elasticsearch.xpack.core.ssl.RestrictedTrustManager
All Implemented Interfaces:
TrustManager, X509TrustManager

public final class RestrictedTrustManager extends X509ExtendedTrustManager
An X509 trust manager that only trusts connections from a restricted set of predefined network entities (nodes, clients, etc.). The trusted entities are defined as a list of predicates on CertificateTrustRestrictions that are built from the configured restricted trust file. The values in the restricted trust file are compared to the value(s) read from the X509 certificate. If the value(s) read from the X509 certificate match values configured in the restricted trust file, then restricted trust is established. If there is no match, restricted trust is not established and the connection should be terminated. Restricted trust should be used in conjunction with additional trust models: it is intended to restrict trust, not to provide it. The values read from the X509 certificate are configurable and the following are supported:
  • subjectAltName.otherName.commonName
  • subjectAltName.dnsName
See also: RestrictedTrustConfig
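As an added illustration of the "restrict, not trust" pattern described above (this is not Elasticsearch's own code, and the constructor and allow-list shape are assumptions, not this class's API or the restricted trust file format): a minimal X509ExtendedTrustManager that first lets a delegate trust manager establish trust, then rejects any chain whose leaf certificate has no subjectAltName.dnsName in a hypothetical allow-list. The JDK returns subjectAltName.otherName entries DER-encoded from getSubjectAlternativeNames(), which would need ASN.1 decoding, so only dnsName is checked here.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

/** Illustrative only: restricts an already-trusted peer to an allow-list of subjectAltName.dnsName values. */
public final class SanRestrictedTrustManager extends X509ExtendedTrustManager {
    private static final Integer DNS_NAME = 2;        // GeneralName tag for dNSName in getSubjectAlternativeNames()
    private final X509ExtendedTrustManager delegate;  // the trust model that actually establishes trust
    private final Set<String> allowed;                // hypothetical: lower-cased names from a restricted trust file

    public SanRestrictedTrustManager(X509ExtendedTrustManager delegate, Set<String> allowed) {
        this.delegate = delegate;
        this.allowed = allowed;
    }

    /** Restrict, do not trust: called only after the delegate has accepted the chain. */
    private void restrict(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        Collection<List<?>> sans = chain[0].getSubjectAlternativeNames();  // leaf certificate only; null if no SAN
        for (List<?> san : sans == null ? List.<List<?>>of() : sans) {
            if (DNS_NAME.equals(san.get(0)) && allowed.contains(((String) san.get(1)).toLowerCase(Locale.ROOT))) {
                return;  // restricted trust established
            }
        }
        throw new CertificateException("no subjectAltName.dnsName matches the restricted trust configuration");
    }

    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
        delegate.checkClientTrusted(c, a); restrict(c);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
        delegate.checkClientTrusted(c, a, s); restrict(c);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException {
        delegate.checkClientTrusted(c, a, e); restrict(c);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        delegate.checkServerTrusted(c, a); restrict(c);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
        delegate.checkServerTrusted(c, a, s); restrict(c);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException {
        delegate.checkServerTrusted(c, a, e); restrict(c);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Because every check calls the delegate first, a certificate that the underlying trust store does not accept is rejected before the restriction is even consulted, which is the ordering the description above requires.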